Re: Using a standard cookie for opt-in exceptions (was: TPE sec 6.11 on clearing granted exceptions)

We considered magic cookies when Roy proposed them in Santa Clara, November, 2011.
http://www.w3.org/2011/11/01-dnt-minutes.html

As I recall (and as I understand the minutes) we did not prefer that approach. Browsers aren't exactly sure how to treat these magic cookies (would they always be cleared with other cookies?), it overloads the mechanism, and may not express the same clarity of affirmative consent.

And John Simpson wrote up some text to the mailing list:
http://lists.w3.org/Archives/Public/public-tracking/2011Nov/0084.html
... with largely negative responses in the subsequent thread (technology specific, not all devices may use cookies, DNT users may often clear cookies).

Using cookies instead of DNT:0 also makes it difficult, perhaps impossible, for first party sites (which we expect to be the ones requesting these site-wide exceptions) to install them for every third party on their site. That is, if you're a publisher, and you ask your visitor for permission for third party ad networks on your site to track the user, cookies can't handle that communication. That was always an explicit goal of user-agent-managed exceptions, to avoid the need for additional standards for server-to-server communication to imply that this user really does have an exception.

And it creates the potential for mixed signals, as in Roy's example below. (Rather than sending you DNT: 1 and Cookie-DNT: 0, why not just send DNT: 0? Or, in the more common case, a third party receives DNT: 1 and some other signal through a URL parameter or server-to-server communication from the first party indicating that they got an exception.)

I suggest we continue with DNT:0 rather than magic cookies, as I understood we had previously decided.
Thanks,
Nick

On Apr 26, 2013, at 12:55 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:

> On Apr 26, 2013, at 11:42 AM, Rigo Wenning wrote:
>> On Friday 26 April 2013 01:31:29 Roy T. Fielding wrote:
>>> I don't think I was clear.  Currently, the only advantage the UGE
>>> framework has is that it doesn't get cleared when cookies get cleared.
>>> If that isn't true, we should delete the entire framework and replace
>>> it with a named cookie that is sent along with the DNT:1 signal. Then
>>> we wouldn't have to wait until all browsers implement UGEs and we
>>> wouldn't have to implement two different opt-in consent mechanisms.
>> 
>> The argument so far was to provide a persistent store that would survive 
>> clearing cookies. This was one of the main selling arguments for DNT. As 
>> people clear cookies once a month at least, the exceptions would not be 
>> persistent at all. If this is the case, we would not need any DNT - 
>> header anyway as the entire thing could operate with cookies. 
> 
> Well, no, the DNT header field needs to be more persistent than a
> cookie and I don't want sites to be able to set its value.  What
> I meant is that the DNT header field would always be sent with the
> user's general preference and a specially named cookie would be
> set by sites after they have confirmed an exception with the user.
> This would not be a problem in the EU because the consent dialog
> would be asking permission to set the consent cookie.
> 
> After consent is granted, the site sets a cookie and the user agent
> would thereafter send something like
> 
>   DNT: 1
>   Cookie: w3dnt=0
> 
> to indicate that an exception has been granted to this site.
> 
> Hence, the w3dnt cookie acts as the opt-in signal when DNT:1 is
> being sent, or when no DNT is sent for regional contexts that
> require an opt-in.  Cookies are safe to use as an opt-in because
> the result of a general cookie purge would be a reversion to DNT:1
> (or the regional default for unset).
> 
> This mechanism would work for all existing browsers. There would be
> no need for an additional database for UGE.  There would be no need
> for an additional database lookup on every request because it just
> gets dropped into the cookie lookup the browser already does.
> 
> Browsers could then be extended to support additional manipulations
> of these named cookies within their normal cookie storage, including
> a UI for managing such cookies and options for *not* clearing them
> when the other cookies are cleared.  This would work only for updated
> browsers, and could be entirely defined by competition in the browser
> space.
> 
> The drawback of this mechanism is that sites can't set the cookie
> for other sites in their same-party that do not share the same TLD.
> I can live with that.  Yes, it is less good for multisite parties
> than a fully functional UGE API which can provide an exception to
> an entire array of sites in one go.  OTOH, it has already been
> implemented by browsers and would allow us to implement a single
> opt-in mechanism for all of them (including old browsers).
> 
> A harder question is what to do about ad auctions wherein the user
> has consented for personalization at this site (including its ads)
> but does not consent to the unknown ad auction companies harvesting
> their data.  For that scenario, I would allow the site to send a signal
> to the auction (in the form of a URI parameter indicating the site
> has consent for personalization of ads) that would allow auction
> participants to see both DNT:1 and that signal and know that they
> can use the data they already know about the user, and the context
> of the page in which this ad is appearing, but cannot use the data
> received in *this* ad request for later tracking or append unless
> it will be siloed by first party or the user has separately
> consented to tracking by the ad provider (i.e., the user already
> has another w3dnt cookie set for that third party).
> 
> Hence, the ads can then be personalized for a site without the
> user consenting to further tracking of this request by the third
> party, which I am hoping would satisfy Aleecia's concern and
> enable ad-revenue dependent sites to support DNT without losing
> the substantial premium of auction-based ads.
> 
> 
> Cheers,
> 
> Roy T. Fielding                     <http://roy.gbiv.com/>
> Senior Principal Scientist, Adobe   <https://www.adobe.com/>
> 
> 

Received on Friday, 26 April 2013 20:26:41 UTC
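
The opt-in cookie proposal quoted above, together with the site-consent URI parameter it suggests for ad auctions, as an added example that is not part of either message or of any W3C specification: a server-side resolver for the signals a recipient would see. The parameter name `site_consent`, the decision labels, and the treatment of an unset DNT outside opt-in regions as permitting tracking are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical parameter name: the proposal only says "a URI parameter".
SITE_CONSENT_PARAM = "site_consent"

def w3dnt_cookie(cookie_header):
    """Return the value of the w3dnt cookie, or None when it is absent."""
    for part in (cookie_header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "w3dnt":
            return value.strip()
    return None

def resolve(headers, url="/", opt_in_region=False):
    """Classify a request as 'track', 'personalize-only' or 'no-track'.

    Returns (decision, mixed). mixed is True when a w3dnt=0 cookie overrides
    DNT:1, the two-signal case the reply objects to.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    dnt = h.get("dnt")
    exception = w3dnt_cookie(h.get("cookie")) == "0"
    query = parse_qs(urlsplit(url).query)
    site_consent = query.get(SITE_CONSENT_PARAM) == ["1"]

    if dnt == "0":
        return "track", False
    if exception:
        return "track", dnt == "1"
    if dnt == "1" or opt_in_region:
        # No exception held by this recipient. A first party's consent signal
        # permits using existing data and page context for this ad only.
        return ("personalize-only" if site_consent else "no-track"), False
    # Assumption: unset DNT outside an opt-in region permits tracking.
    return "track", False

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ({"DNT": "1", "Cookie": "sid=abc; w3dnt=0"}, "/", False),
        ({"DNT": "1"}, "/", False),  # same user after a cookie purge
        ({"DNT": "1"}, "/ad?slot=3&site_consent=1", False),
        ({"Cookie": "w3dnt=0"}, "/", True),
        ({}, "/", True),
    ]
    for hdrs, url, region in samples:
        print(hdrs, url, "->", resolve(hdrs, url, region))
```

The second sample shows the reversion described in the quoted message: once the cookie is purged, the same user's request resolves to `no-track` again.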